This is a demo of how to intercept and proxy HTTP and HTTPS requests from a mobile device without having to root the device (though it isn’t limited to mobile devices).
As an alternative to HAK5 WiFi Pineapple this might be the cheaper option, but obviously doesn’t have all the fancy features that a pineapple has.
Check out this, a script on how to abuse a WiFi Pinapple by Apox.
In short, it’s about ARP Poisoning the LAN network to route all traffic from the victim to me and then intercept and modify the HTTP/HTTPS requests and responses.
By using python flask server, I wanted to demonstrate how simple it would be to have the victim run malicious code.
In total, the whole project was about 100 lines of code and most of the time spent on this project was on writing this blog post.
Of course there are warnings of self-signed certificates, but that only applies to HTTPS.
Tools used in this demo
Burp Suite (by Portswigger) to intercept HTTP/S Requests.
Python Scapy Framework to ARP Poison the network and “reroute” traffic
Python flask to setup an easy and fast web server.
Flask isn’t necessarily required to accomplish this, but its a nice and handy tool for capturing and storing data like stolen cookies etc, sky’s the limit.
e.g You could easily create a SQLite database and store each client, request, session cookie, parameter value and so forth
How ARP Poisoning works, is that you broadcast malicious ARP Packets to your Layer 2 Network .
Basically, a device broadcasts to the network a packet asking “Who has this IP address” and to that question, the device that really does have that IP address sort of broadcasts into the network saying “its me”.
What we do here is we also say “its me”, which will override the legit response meaning that now the device thinks that we’re actually the gateway.
In order to make this bi-directional, we also need to poison the way back to the client, and we do.
defrot(self,victimIP, gatewayIP, interface):
self.poison(victimIP, victimMAC, gatewayIP, gatewayMAC)
In order to maintain the decomposing state of the network, we continue broadcasting the malicious ARP packets over and over again.
Below you can see it in action. Make note that both the “gateway” and the victim have the same MAC address (c4:85:08:8b:94:67) which actually is the MAC address of the attacker, which is us.
So now, the Frankenstein has been awakened, and the network is ours.
By utilizing tcpdump we can inspect and verify that indeed, the traffic is going through us.
In the above example, we can see a HTTP GET request to j3k.fi.
So now that we’re the man in the middle, we want to intercept the request before its going to where its supposed to.
For that we need to redirect traffic with iptables to our proxy of choice, which is Burp Suite in this case.
What I mean by Genie, is a hacker using Python Flask.
We are using a flask server to return HTTP Code 200 and some HTML code, more on this below..
With Python Flask, you can create an adhoc HTTP server to do basically whatever you want, as it is a Python framework, its just a matter of what you can or want do with it..
Back to Burp, capture and modify
On the mobile device, we browse to https://j3k.fi and what happens here is that our MiTM box, intercepts the request, replaces the real IP address of j3k.fi with what was defined in the Hostname Resolution setting in Burp Suite.
So now, the victim assumes that whatever response he gets, will be originating from real j3k.fi, when it really isn’t…
Voilà, we’ve now successfully sent the victim a messagebox saying ‘XSS’.
Hardly exciting huh?
https://rot.fi/wp-content/uploads/2017/10/ROT2-WHITE-BG.eps_-2.png00j3khttps://rot.fi/wp-content/uploads/2017/10/ROT2-WHITE-BG.eps_-2.pngj3k2017-02-07 12:25:362017-02-07 12:25:36Decomposing LAN security with Scapy and Burp Suite